booking.com breach

Summary Message: Working out your Breach Notification during a Breach is a recipe for disaster.

Back in December of 2018, Booking.com experienced a breach, where the company was exploited through a Vishing attack. For those who don’t know, Vishing is the hacking method in which phone calls and voicemail messages pretend to be from reputable companies, convincing users to give out personal information such as banking information, credit card numbers, or other non-public personal information. This is similar to phishing and smishing but uses phone systems and voicemail instead of email or text messages. What makes this breach important is not the breach itself but the subsequent fines issued by the Dutch Data Protection Authority (DPA). Read on to find out why fines were assessed.

How Did It Happen?

According to the report, the attack was conducted against hotels in the United Arab Emirates (UAE), using social engineering tricks over the phone. The hackers called staff at 40 different hotels in the region and talked them into handing over login credentials for hotel accounts in the Booking.com system.

With these stolen credentials, the ‘Vishers’ retrieved data on 4109 customer bookings, including customer’s names, addresses, and phone numbers. Although, the criminals also got hold of credit card data from 283 of those bookings. Hackers even stole 97 CVV’s (3-digit code on the back of the card) which should never be saved in any electronic system!

Monique Verdier, deputy chair of the Dutch Data Protection Authority (DPA) pointed out in the Authority’s report of the breach:

By posing in emails or on the phone as hotel staff, they attempted to steal money from people. Such an approach can seem highly credible if the fraudster knows exactly when you made a booking and what room you booked, then asks you to pay for the nights in question. Large amounts of money can be stolen in this way.

Everything discussed to this point in this article explains how most breaches occur. Very few breached companies receive additional government fines, so what happened to cause that here?

The Breach Happened in 2018

Dutch DPA regulators fined Booking.com almost half a million Euros not because there was a breach, but because the company didn’t report the breach quickly enough:

The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA. When the breach occurred, criminals obtained the personal data of over 4,000 customers. They also got their hands on the credit card information of almost 300 people.

Timeline
  • December 2018: Data breach started
  • 13 January 2019: Booking.com became aware of the leak.
  • 04 February 2019: Booking.com informed affected customers.
  • 07 February 2019: Booking.com informed the Data Protection Authority.

EU businesses have 72 hours to report a breach from the time they confirmed it occurred. While Booking.com knew a leak had occurred on Jan. 13th, they might not have known the extent of the breach which would require government notification. However, in Jan. at the moment in time that Booking.com confirmed the breach affected more than 500 records, they needed to notify the DPA within 72 hours. They failed to do so, which is why they were fined so heavily.

What Does This Mean For My SMB?

Breach Notifications

Regarding breach notification, it’s extremely important to notify the affected users and applicable agencies like the DPA in Holland quickly. Since 2002 there have been countless data privacy laws enacted all over the world. The US has a patchwork quilt of data privacy laws for each state, but no federal law in effect. In preparing your breach notification process, if you do business internationally, you will need to consider the following regulations:

Sources:

NakedSecurity – Sophos

Wikipedia – Breach Notification Laws